Major Incidents in Korea

- 2003.1  A computer virus shut down servers at the country's largest Internet service provider, KT Corp, disconnecting five million customers from the web
- 2005.6  224,400 cases of ID theft were identified by NCSoft (online game company)
- 2008.2  10,810,000 cases of ID theft were identified by Auction Korea (online shopping company)
- 2009.7  The 7.7 DDoS attack on portal sites, online banks and government homepages in the US and South Korea occurred
- 2011.9  35,000,000 cases of ID theft were identified by SK Communications (portal site)
- 2013.3  Major television broadcasters and banks were under cyber attack (48,700 PCs, servers and ATMs were damaged)
- 2013.6  The websites of S. Korea's presidential office, government agencies and some media organizations were attacked
- 2014.1  85 million personal information records from KB Card, NH Card and Lotte Card were disclosed
- 2014.3  9.8 million personal information records from KT were disclosed
March 4th 2011 DDoS Attack

The March 4th DDoS attack in 2011 evolved from the July 7th DDoS attack in 2009.

Overview: DDoS attack targeting 40 major Korean websites

Classification             | Mar 4   | Jul 7
# of Zombie PCs            | 116,299 | 115,044
# of target websites       | 40      | 36
# of Blocked C&C servers   | 748     | 538
# of destroyed HDDs        | 756     | 1,466

The March and July DDoS attacks are similar in the number of exploited zombie PCs and in infection method; however, the March DDoS attack method is more intelligent and destructive than the July DDoS.

March 4 DDoS Attack Target (figure: Portal/Shopping Mall, Financial Institute)

Implications: a cat-and-mouse fight between KISA and the hacker
- Vaccine distribution via www.boho.or.kr => zombie PCs' access to www.boho.or.kr is blocked
- Effective defense against the DDoS attack => HDD is destroyed just after the infection
- Hard disk damage prevention guideline => HDD is destroyed even at safe mode booting

March 20th 2013 Cyber Attack

- Attack on 6 broadcasting and financial companies which destroyed 48,700 PCs, servers and ATMs
  - Distributed malicious code (MC) through "Weather.com" and infected 800 PCs (March 25th)
  - Destroyed 58 Digital YTN website servers (March 26th)
  - Deleted data from 14 conservative groups' websites (March 26th)
- Recovered to normal operation (March 29th)
  - Recovery of 58 Digital YTN web servers (April 12th)
Recent Incidents in Korea


- Attack Flow to Nuclear Operator (figure)
  1. Information Spill: retiree IDs obtained from a retiree community together with personal info; phishing mail to retiree and customer accounts (e-mail, document); malicious code placed in a customer PC
  2. Attack: 6,000 e-mails sent from a foreign IP to employee PCs; failure in attack
  3. Disclosure and Threat
Major Personal Information Infringement Incidents
(Source: KISA (2014) for Korea data, McAfee (2014) for foreign data)


Cyber Security Policy & Response

History of Korea's Information Security Policies (1/2)


- 1964: Established "Security Operation Rules (Presidential Decree)" and its Enforcement Rules (Presidential Directive)
- 1986: Established "the law regarding the promotion of computing network dissemination, expansion and use"
- Established "Regulations of Information & Security Work Planning Coordination (Presidential Decree)"
  - Regulating planning & coordination procedures & methods on national communication security works
- Held the first information security conference in Korea
  - The 1st Workshop on Information Security and Cryptography (WISC)
- KIISC established
- Launched the Ministry of Information & Communication
  - Reshuffled to expand the Ministry of Communication and absorbed/merged functions related to information & communication from the Ministry of Science & Technology / the Bureau of Public Information / the Ministry of Commerce, Industry & Energy
- Established "Basic Guideline of National Information & Communication Security"
- "The law regarding the promotion of computing network dissemination, expansion and use" was reformed as "the law regarding the promotion of information and communication network use"
- Executed Simulated Cyber Warfare in the Eulji Exercise
- Established "Act on the Protection of Information and Communications Infrastructure"
- Established "Electronic Signature Act"
- Established "Act on promotion of digitalization of administrative works, etc. for realization of electronic government"
- "The law regarding the promotion of information and communication network use" was reformed as "the law regarding the promotion of information and communication network use and protection of information"
- Established Korea Information Assurance Society (KIAS)
- Korea Information Security Center escalated to Korea Information Security Agency
- Established National Security Research Institute (NSRI)
- Established Korea Information Security Industry Association (KISIA)
- Developed the 1st domestic block protection algorithm
- Enforcing the information security system evaluation/certification system
(Years other than 1964 and 1986 are not legible in the timeline figure.)
History of Korea's Information Security Policies (2/2)

- Established National Information Security Association (NISA)
- Established National Cyber Security Center
- Established "Basic Guideline for National Crisis Management (Presidential Directive)" & National Cyber Crisis Management Manual
- Executed Joint National Cyber Crisis Response Exercise
- Published the 1st National Information Security Whitepaper
- Subscribed to the CCRA as a Certificate Issuance Country
- Established CC
- Established security control centers for top 10 key areas including defense / foreign affairs / administration, etc.
  - Constructed the nationwide security control system
- 1.25 Internet Crisis occurred
- Established KISA Internet Infringement Accident Response Support Center
- Developed block cipher algorithm for civil administration services (ARIA)
- Established National Cyber Security Management Regulations (Presidential Directive)
- Held the 1st Cyber Security Day
- Each government ministry shares in carrying out information security functions upon reorganization of the government
  - Korea Communications Commission: information security in the private sector
  - Ministry of Public Administration and Security: e-Government civil service protection, major information & communication infrastructure protection, personal information protection in the public sector
  - Ministry of Knowledge Economy: information security industry cultivation & technology development, professional information security manpower cultivation
- Overall amendment of Electronic Government Act
- Launched Knowledge Information Security Industry Association (KISIA)
- 7.7 DDoS infringement accident occurred
- Established Korea Internet & Security Agency (KISA)
- Established Comprehensive National Cyber Crisis Countermeasure
- Established Cyber Command
- Diversified authorized electronic financial transaction certificate measures
- Designated as a private information security product evaluation institute
- 3.4 DDoS infringement accident occurred
- Financial institute hacking accident occurred
- Enforced "Personal Information Protection Act"
- Established/enforced National Cyber Security Master Plan
- 6.25 cyber attack occurred
- Established Cyber Security Master Plan
- Established Cyber Security Industry Development Plan
(Years are not legible in the timeline figure.)

The structure of Cyber Security law in Korea (figure)

- Public sector (public institutions): National Cyber Security Management Regulation; E-government Act
- Private sector: IT Network Act
- For people: Electronic Signature Act; Personal Information Protection Act

* IT Network Act (= Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.)


National Cyber Security Framework

Organization by sector (figure):
- Public sector: National Intelligence Service, National Cyber Security Center
- Private sector: Ministry of Science, ICT & Future Planning (MSIP), Korea Internet & Security Agency (KISA)
- Military sector: Ministry of National Defense, Military Cyber Command & Control Center, all troops

Warning levels for the private sector (subject: MSIP for every level):

Warning level | Criteria for warning | Measures
Critical (prior consultation with the National crisis management office and the Senior Secretary to the President; critical warning issued) | Internet communications paralysis amounting to a national crisis | Organize crisis center; private-public joint investigation group; block specific service; overall response
Severe (prior consultation with the National crisis management office; severe warning issued) | Multiple ISP network and infrastructure paralysis, massive damages | Notify specific service; public promotion (media); emergency work system; rapid response
Substantial | Local communications disorder | Emergency work system; assess damages and report
Moderate | Internet-related disorder; increased possibility of security incident expansion and damages | Tighten monitoring; emergency work system; observe signs

Common response at every level:
- Consult on information (NIS, MND) and report to the National crisis situation center
- Analyze the cause, prevent damage expansion and support recovery

KISA under MSIP is in charge of cyber security in the private sector
- Most security incidents, including zombie PCs, occur in the private sector, and KISA is responsible for those incidents

Cyber Threat Warning System (Normal, Moderate, Substantial, Severe, Critical)
- MSIP/KISA is in charge of issuing cyber security alarms (composed of 5 threat levels) for the private sector


Cyber Threat Response Cooperation System (figure)

Center: KISA, under the Ministry of Science, ICT & Future Planning
Related organizations in Korea:
- Responsible organizations: NIS, MND
- Investigative agencies: Supreme Prosecutor's Office, National Police
- ISPs: KT, LG U+, SK broadband, Dreamline, Onse telecom, 112 others
- Related organizations abroad; the public (raise awareness)
Exchanges shown in the figure:
- Malware sample & analysis report, incident escalation
- Block malicious site, notify zombie PC and request treatment
- Share malicious code & analysis result, remove zombie PC, block C&C server
- Share malicious code and produce dedicated vaccine; treat malicious code
- Share security incident information and request to check failure of network


KISC (KrCERT/CC) Mission and Organization

Mission
- 7 days / 24 hours monitoring, early detection/response on cyber attacks in the private sector
- Rapid response for nation-wide major Internet incidents to prevent and minimize damages
- Cooperation with domestic (ISPs, anti-virus companies) and foreign partners (FIRST, APCERT, Microsoft, Symantec, etc.)

Organization: Korea Internet Security Center
- Internet Incidents Analysis Division: Internet Incidents Analysis Planning Team, Internet Incident Investigation Team, Vulnerability Analysis Team, Code Analysis Team
- Infrastructure Protection Division: Critical Infrastructure Protection & Planning Team, e-Government Security Team, IT Security Evaluation Team, Information Security Management Team
- Security Monitoring Room

- Security Monitoring Detail
  - Traffic: 158 domestic ISP/IDC/MSO/MSSP traffic, ports, protocols, attacks
  - Web servers: 600+ major domestic web servers
  - DNS: 13 root DNS, 6 KR DNS, 12 major domestic ISP DNS
  - Security information: major anti-virus, system/software/security company sites
  - Honey-net / honey-pot
  - Monitoring of web-embedded malicious code: 2.3 million domestic websites
  - Hotline (ISPs, anti-virus companies, NCSC, etc.)

- Incident Call Center Services
  - Call center for incident response & private outreach: +82-118 (free)


Response Procedure (KISC)

KISC's security incident response system (figure: Internet user (corporation, individual); Korea Internet Security Center; Recovery)
Cyber Attack Response System

DDoS Defense System
- Early DDoS attack detection at the Internet Exchange (IX) node
(figure: DDoS Detection & Protection Systems attached to the IX routers; DDoS attack traffic flowing between IDCs, Internet business companies, Internet service providers, etc.)


Cyber Attack Response System

Malicious code distribution through a hacked homepage (figure):
- The hacker establishes a malicious code distribution site
- The hacker secures a redirecting site by hacking a homepage
1. User visits the redirecting site
2. Automatic redirection to the distribution site without the user's knowledge
3. User PC is infected by malicious code (delivery site)
4. Information leak (ID, password)


Cyber Attack Response System

Overview diagram of detecting and handling a malicious code-hiding site

Domestic homepages (2 million)
KISA's detection and countermeasures:
- Monitoring domestic homepages (2 million) to detect hidden malicious code (8 hours/day)
- Requesting measures from the homepage administrator via phone or official letter
- Malicious code deletion (domestic)
- Homepage blocking (overseas)
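The redirect chain in the distribution flow above and the hidden-code monitoring that detects it, as an added example that is not KISA's own tooling: a page scanner that flags the markers of a drive-by redirect (a zero-sized or CSS-hidden iframe, a meta refresh to another host, off-site script or iframe sources) and picks the domestic-deletion or overseas-blocking countermeasure. The sample pages, host names and the ".kr" domestic marker are assumptions of the example.

```python
"""Scanner for the 'malicious code-hiding site' monitoring above. Added
example, not KISA's tooling: flags hidden or off-site iframes, off-site
meta refresh targets and off-site script sources. Sample pages and host
names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class HiddenCodeScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (tag, reason, target url)

    def _off_site(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.page_host

    def _hidden(self, a):
        style = a.get("style", "").replace(" ", "").lower()
        dims = [a.get(k, "").strip().rstrip("px") for k in ("width", "height")]
        return (any(d in ("0", "1") for d in dims)
                or "display:none" in style or "visibility:hidden" in style)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            if self._hidden(a):
                self.findings.append(("iframe", "hidden iframe", src))
            elif self._off_site(src):
                self.findings.append(("iframe", "off-site iframe", src))
        elif tag == "script" and self._off_site(a.get("src", "")):
            self.findings.append(("script", "off-site script", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            i = content.lower().find("url=")
            url = content[i + 4:].strip(" '\"") if i >= 0 else ""
            if self._off_site(url):
                self.findings.append(("meta", "off-site meta refresh", url))

def scan_page(html, page_host):
    """Return every suspicious element found in one page."""
    scanner = HiddenCodeScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def countermeasure(url):
    """KISA's two responses above: a domestic host gets a deletion request to
    its administrator, an overseas host gets blocked. Using '.kr' as the
    domestic marker is an assumption of this example."""
    host = (urlparse(url).hostname or "").lower()
    return "deletion (domestic)" if host.endswith(".kr") else "blocking (overseas)"

# Constructed sample pages: one clean, one carrying a hidden redirect chain.
CLEAN_PAGE = """<html><head><title>Notice</title></head><body>
<script src="/js/main.js"></script>
<iframe src="https://www.example-domestic.kr/map" width="600" height="400"></iframe>
</body></html>"""

COMPROMISED_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; URL=http://distribution.example.net/land.php">
</head><body>
<iframe src="http://distribution.example.net/exp.html" width="0" height="0"></iframe>
<script src="http://distribution.example.net/x.js"></script>
</body></html>"""
```

Running `scan_page(COMPROMISED_PAGE, "www.example-domestic.kr")` yields the meta refresh, the hidden iframe and the off-site script, each of which `countermeasure` routes to blocking because the distribution host is overseas.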


Cyber Attack Response System

Cyber Curing System
Trigger: excessive traffic and connection errors; internal detection by KISA or a report by the victim organization
1. Secure the infected IPs (by KISA)
2. Classify and send the infected IPs (classification by service provider, by KISA)
3. Identify the infected PC from the infected IP (ISP's subscriber retrieval system)
5. Treat the infected PC with the dedicated vaccine
(Step 4 is not legible in the figure.)
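Steps 1 to 3 of the Cyber Curing flow above as an added example, not KISA's or any ISP's code: infected source addresses are collected from detection records, classified by service provider with a longest-prefix match, and handed to each provider to resolve to a subscriber. The prefix table (documentation ranges), the ISP names attached to it, the detection records and the subscriber table are all constructed for the example.

```python
"""Steps 1-3 of the Cyber Curing flow (added example, not KISA's or an ISP's
code). Prefixes, the ISP names attached to them, the detection records and
the subscriber table are constructed for this example."""
import ipaddress
from collections import defaultdict

# Constructed prefix table: documentation ranges standing in for ISP allocations.
ISP_PREFIXES = [
    (ipaddress.ip_network("198.51.100.0/24"), "KT"),
    (ipaddress.ip_network("198.51.100.128/25"), "LG U+"),  # more specific than the /24
    (ipaddress.ip_network("203.0.113.0/24"), "SK broadband"),
]

# Constructed detection records, one per line: "HH:MM source_ip event"
DETECTIONS = """01:09 198.51.100.23 syn-flood
01:09 198.51.100.200 syn-flood
01:09 203.0.113.7 http-get-flood
01:09 198.51.100.23 syn-flood
01:10 192.0.2.99 syn-flood
01:10 not-an-ip syn-flood"""

# Constructed ISP-side subscriber retrieval table (step 3 runs at the ISP).
SUBSCRIBERS = {"198.51.100.23": "sub-0001", "198.51.100.200": "sub-0042",
               "203.0.113.7": "sub-0777"}

def secure_infected_ips(records):
    """Step 1: unique, syntactically valid source addresses; malformed ones skipped."""
    ips = set()
    for line in records.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ips.add(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # one bad record must not abort the whole batch
    return sorted(ips)

def isp_for(ip, table=ISP_PREFIXES):
    """Longest-prefix match of one address; None when no provider owns it."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    best = None
    for net, isp in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, isp)
    return best[1] if best else None

def classify_by_isp(ips, table=ISP_PREFIXES):
    """Step 2: group addresses per provider so each ISP receives only its own list."""
    groups = defaultdict(list)
    for ip in ips:
        groups[isp_for(ip, table) or "unclassified"].append(str(ip))
    return dict(groups)

def resolve_subscribers(groups, directory=SUBSCRIBERS):
    """Step 3: at the ISP, map each infected IP to a subscriber id (None if unknown)."""
    return {isp: {ip: directory.get(ip) for ip in ips}
            for isp, ips in groups.items() if isp != "unclassified"}

if __name__ == "__main__":
    groups = classify_by_isp(secure_infected_ips(DETECTIONS))
    for isp, subs in resolve_subscribers(groups).items():
        print(isp, subs)
    print("unclassified:", groups.get("unclassified", []))
```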
P Shan: dE i 


Cyber Attack Response System

- The line bandwidth exhaustion attack can be blocked in advance in cooperation with the line provider before shifting to the Cyber Shelter.
- The web server resource exhaustion attack, which can cause serious deterioration of server availability with a small volume of traffic, can be prevented by applying the analysis result to each piece of defense equipment through application layer traffic analysis and identification.
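Telling the two attack classes above apart from a web server's own access log, as an added example that is not KISA's Cyber Shelter code: a bandwidth exhaustion source shows a high byte rate, while a resource exhaustion source shows a high request rate against costly dynamic paths with little traffic, and each is routed to the handling the text describes. Log lines, the list of costly paths and the thresholds are constructed assumptions.

```python
"""Separating line bandwidth exhaustion from web server resource exhaustion in
an access log (added example, not KISA's Cyber Shelter code). Log lines,
the costly-path list and the thresholds are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" \d{3} (\d+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
COSTLY_PREFIXES = ("/search", "/login")  # dynamic handlers assumed expensive
REQ_RATE_LIMIT = 10.0         # requests/sec per source (assumed)
BYTE_RATE_LIMIT = 1_000_000   # bytes/sec per source, assumed line-level threshold

def parse_line(line):
    """Common Log Format line -> (ip, time, path, bytes); None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, size = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), path, int(size)

def profile_sources(lines):
    """Per-source request rate, byte rate and share of requests on costly paths."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec[1:])
    profiles = {}
    for ip, recs in per_ip.items():
        times = [r[0] for r in recs]
        span = max(1.0, (max(times) - min(times)).total_seconds())
        costly = sum(1 for r in recs if r[1].startswith(COSTLY_PREFIXES))
        profiles[ip] = {"req_rate": len(recs) / span,
                        "byte_rate": sum(r[2] for r in recs) / span,
                        "costly_share": costly / len(recs)}
    return profiles

def classify(profile):
    """Map one source profile to the handling the text describes."""
    if profile["byte_rate"] >= BYTE_RATE_LIMIT:
        return "bandwidth exhaustion: block upstream with the line provider"
    if profile["req_rate"] >= REQ_RATE_LIMIT and profile["costly_share"] >= 0.8:
        return "resource exhaustion: apply to application-layer defense equipment"
    return "normal"

def build_sample_log():
    """Constructed log: an application-layer flooder, a bulk downloader, a normal user."""
    fmt = '{ip} - - [04/Mar/2011:10:00:{sec:02d} +0900] "GET {path} HTTP/1.1" 200 {size}'
    lines = []
    for i in range(60):  # 60 small search requests within 3 seconds
        lines.append(fmt.format(ip="203.0.113.5", sec=i // 20, path="/search?q=%d" % i, size=512))
    for i in range(6):   # six 2 MB downloads within 3 seconds
        lines.append(fmt.format(ip="198.51.100.9", sec=i // 2, path="/files/iso", size=2_000_000))
    for i in range(3):   # ordinary browsing spread over 10 seconds
        lines.append(fmt.format(ip="192.0.2.7", sec=i * 5, path="/index.html", size=4096))
    return lines

if __name__ == "__main__":
    for ip, prof in profile_sources(build_sample_log()).items():
        print(f"{ip:14} {prof['req_rate']:6.1f} req/s {prof['byte_rate']:10.0f} B/s -> {classify(prof)}")
```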


Cyber Attack Response System

Vulnerability information sharing (figure: obtain vulnerability information from overseas; vulnerability info. sharing with companies, security vendors and related organizations; vulnerability analyzer experts; National Vulnerability Database; develop dedicated patch)


International Cooperation for Response (figure: hacker; zombie PCs in Asia, N. America, Europe and Africa; target server)
Recent Cyber Security Strategies

Recent cyber security strategies
- IoT Security Roadmap (November 2014)

Vision: The World's Best Smart & Safe IoT Nation

Strategy:
Infrastructure: Security Native | Technology: Security Frontier | Industry: Security Premier
Provide security-embedded IoT infrastructure | Develop leading global IoT security technology | Strengthen competitiveness of the IoT security industry

Missions:
- Infrastructure
  - Integrating security in the IoT services of the 7 industries
  - Establishment of a "Comprehensive response system against IoT cyber threats"
  - Securing reliability for safe IoT products and services
- Technology
  - Developing 9 key technologies for IoT security
    - Device dome, network dome and service dome technology
  - Developing an IoT R&D open innovation system
- Industry
  - Identifying and nurturing excellent security enterprises
  - Creating demand for IoT security products and services
  - Nurturing customized "IoT Security Brain" combining ICT and security

Recent cyber security strategies
- K-ICT Security Master Plan (April 2015)

Creating a future growth engine
- Developing original security tech
  - Securing the global security tech initiative
  - Developing convenient security tech for users
  - Conducting global open R&D
- Promoting information security demands and investments
  - Expanding new information security markets, i.e. convergence security

Reinforcing national cyber resilience
- Diagnosis of cyber security in major private facilities
- Building CISO hotline
- Building the nation-wide one-stop 118 information security

Cultivating security manpower
- Reinforcing the infrastructure for fostering top security experts
Recent cyber security strategies
- Cloud Security Strategy (Sept. 2015) (1/2)

Vision: Secure Cloud Country [safe K-Cloud]
3.3% [year 2014] → above 40% [year 2019]

Direction:
1. Reinforcing managerial & technical protective measures with the implementation of the Cloud Development Act
2. Cloud service user protection & continuous development of service protection measures
3. Maintaining consistency with the security policy associated with the K-ICT Security Master Plan

Recent cyber security strategies
- Cloud Security Strategy (Sept. 2015) (2/2)

Projects (figure):
Provider | User | Industry
Set info. security standards | Provision of personal security system | Secure core technology
Transparent info. security situation | Damage prevention system | Manpower training
Build incident response system | Enhancement of convenience | Supporting cloud security companies
Support system: preemptive policy measures, promotion of info. security, organization


Global Cybersecurity Center for Development & CAMP

Global Cybersecurity Center for Development

Objective
- Supporting cyber capacity building for developing countries
- Sharing practical cyber security knowledge & experiences

Framework
- Positioning: a global institute in charge of enhancing cyber security capabilities for public officials
- Formation
  - Established as a virtual organization within KISA at the moment
  - It will transform its own characteristics toward an international institute based on close cooperation with international organizations and individual countries

Major role
- Invitation-based training & joint local seminars
- Online hacking simulation test
- Establishment of cybersecurity master plans
- Consulting on cybersecurity policy & strategies
- Diagnosis of critical information infrastructure protection
- Networking partnership with international organizations
- Hosting global conferences and forums

Global Cybersecurity Center for Development

Chronology of GCCD (figure: legal advisory on establishment of GCCD; feasibility study on GCCD's organizational form; MoU between Korea Communications Commission & World Bank Group; GCCD establishment; GCCD Training - National Cyber Security Policy Course in Seoul, Korea)

Phase 1 ('15 ~ '16)
- '15.06.29: Establishment of GCCD
- '15.04~08: Development of training curriculum and materials
- '15.09~12: Opening up official homepage
- '15.09~12: Invitation-based training and Korea-WB local …
External partnership
- '15.08~10: Collaborating with Oxford Cyber Security Capacity Center
- '15.10~12: Register as an initiative of GFCE (Global Forum on Cyber Expertise)
Phase 2 ('16~)
- Online education platform, information security consulting, expanding external partnership with domestic/international …
CAMP (Cyber-security Alliance for Mutual Progress)

Major cybersecurity threats all over the world (figure; some incident names and fields are illegible)

Incident | Time | Target | Damage
(illegible) | Mid 2009 ~ Jan 2010 | 30 companies including Google, Adobe, Juniper | Confidential data leakage and falsified code
(illegible) | Nov 2010 ~ Mar 2011 | G20 related files which the French Government holds | PC access attempts on more than 150 diplomats
(illegible) | 2014 | (illegible) | (illegible)
Stuxnet | Mar ~ Nov 2010 | Iran nuclear SCADA | Stopped nuclear plant operation
Night Dragon | Nov 2009 ~ Feb 2011 | Energy company website | Closed
RSA Attack | April 2011 | RSA | Secure ID information leakage
Flame malware (Middle-East attack, cyber-espionage) | May 2012 | Middle East countries | Classified information leakage

Cybersecurity cannot be handled by a single country or organization.
Information security is an endless marathon between shield and spear.
Global collaboration is essential for a better response.

CAMP (Cyber-security Alliance for Mutual Progress)

Member countries shown on the map include Oman, Vietnam, Ghana, Ethiopia, Cambodia, Colombia, Tanzania, Chile and New Zealand (others illegible).
Areas: Incident Response; Personal Data Protection; Critical Infrastructure Protection; Security Education and Information Sharing
Mode: cybersecurity policy training; information sharing on cybersecurity; … framework; incident response

CAMP (Cyber-security Alliance for Mutual Progress)

Progress
- 2015. July: CAMP Preparatory Meeting
  - Participants: 60 officials from 28 countries (ministries, government agencies, security firms, etc.)
  - Achievements: CAMP promotion plan establishment, statement on CAMP launching

Timeline:
- 2015.7: Preparatory Meeting
- 2015.9: Secretariat establishment
- 2015.9: GCCD Expert Training Course
- 2015.10-12: Local seminars
- 2015.11: Drawing up a list of the signatories
- 2016.1-2: Member country invitation and RSVPs
- 2016.3: Official launch and inaugural meeting